PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9960 Google CVE debrief

An integer overflow vulnerability in PDFium, the PDF rendering engine embedded in Google Chrome, allowed arbitrary code execution within the sandbox from a compromised renderer process. The flaw was triggered by a crafted font file. Google rated this a High-severity issue and addressed it in Chrome 148.0.7778.216.

Vendor
Google
Product
Chrome
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations with managed Chrome deployments, particularly those in high-threat environments where users handle untrusted PDF content or where browser sandbox escapes are a critical concern.

Technical summary

The vulnerability exists in PDFium's font parsing logic. An integer overflow during processing of a malformed font file can lead to memory corruption. Because the attacker must first compromise the renderer process, this represents a second-stage exploit that elevates from renderer compromise to sandboxed code execution. The fix is included in Chrome 148.0.7778.216.

Defensive priority

high

Recommended defensive actions

  • Upgrade Google Chrome to version 148.0.7778.216 or later across all managed endpoints.
  • Prioritize patching for systems where users routinely open untrusted PDF documents or browse to potentially malicious sites.
  • If immediate patching is not feasible, consider restricting Chrome from rendering PDFs via enterprise policy (e.g., disabling the built-in PDF viewer) until updates can be deployed.
  • Monitor for unexpected renderer crashes or sandbox escape indicators that may suggest exploitation attempts.
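A fleet-level way to act on the first two recommendations is to compare each endpoint's installed Chrome version against the fixed build numerically, component by component, since a plain string comparison ranks "148.0.7778.9" above "148.0.7778.216". The script below is an added example, not part of the PatchSiren debrief or Google's tooling; the inventory records, hostnames and versions in it are constructed sample data, and only the patched version 148.0.7778.216 comes from the advisory.

```python
"""Fleet triage for CVE-2026-9960: flag Chrome installs below 148.0.7778.216.

Added example, not part of the PatchSiren debrief. The inventory below is
constructed sample data; hostnames and versions are made up.
"""
from __future__ import annotations

# Fixed version from the advisory (Chrome 148.0.7778.216).
PATCHED_VERSION = "148.0.7778.216"


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse a Chrome 'major.minor.build.patch' string into a tuple of ints.

    Chrome versions must be compared numerically, component by component.
    A plain string comparison would rank '148.0.7778.9' above
    '148.0.7778.216' because '9' > '2' as text.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return (major, minor, build, patch)


def is_patched(installed: str, fixed: str = PATCHED_VERSION) -> bool:
    """True if the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Bucket an endpoint inventory into needs_upgrade / patched / unknown.

    Records with no version or an unparseable version land in 'unknown' so
    they are surfaced for follow-up rather than silently treated as safe.
    """
    result: dict[str, list[str]] = {"needs_upgrade": [], "patched": [], "unknown": []}
    for host in inventory:
        version = host.get("chrome_version")
        if not version:
            result["unknown"].append(host["hostname"])
            continue
        try:
            bucket = "patched" if is_patched(version) else "needs_upgrade"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host["hostname"])
    for names in result.values():  # stable ordering for reporting
        names.sort()
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    {"hostname": "ws-001", "chrome_version": "148.0.7778.216"},  # exactly the fixed build
    {"hostname": "ws-002", "chrome_version": "148.0.7778.9"},    # below fix despite "9" > "2" as text
    {"hostname": "ws-003", "chrome_version": "147.0.7700.120"},  # older major version
    {"hostname": "ws-004", "chrome_version": "149.0.7800.10"},   # newer than the fix
    {"hostname": "ws-005", "chrome_version": None},              # Chrome not inventoried
    {"hostname": "ws-006", "chrome_version": "148.0.7778"},      # malformed record
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

In practice the inventory would come from an endpoint-management export rather than an inline list; the "unknown" bucket is worth reporting alongside "needs_upgrade", because a missing or malformed version is a visibility gap rather than evidence of a patched system.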

Evidence notes

The NVD record and Chrome release notes confirm the vulnerability type (integer overflow), affected component (PDFium), attack vector (crafted font file), and patched version (148.0.7778.216). The Chromium issue tracker entry is marked as permissions-required.

Official resources

2026-05-28